OFFICE OF INSPECTOR GENERAL
Report of Evaluation

OIG 2012 Evaluation of the Farm Credit Administration's Compliance with the Federal Information Security Management Act

November 9, 2012

E-12-01

Tammy Rapp
Auditor-in-Charge

FARM CREDIT ADMINISTRATION

Memorandum

Office of Inspector General
1501 Farm Credit Drive
McLean, Virginia 22102-5090

November 9, 2012

The Honorable Leland A. Strom, Chairman and Chief Executive Officer
The Honorable Kenneth A. Spearman, Board Member
The Honorable Jill Long Thompson, Board Member
Farm Credit Administration
1501 Farm Credit Drive
McLean, Virginia 22102-5090

Dear Chairman Strom and Board Members Spearman and Long Thompson:

The Office of the Inspector General completed the 2012 independent evaluation of the Farm Credit Administration's compliance with the Federal Information Security Management Act (FISMA). The objectives of this evaluation were to perform an independent assessment of FCA's information security program and assess FCA's compliance with FISMA.

The results of our evaluation revealed that FCA has an effective information security program, and we did not identify any significant deficiencies in the Agency's information security program.

We appreciate the courtesies and professionalism extended to the evaluation staff.
If you have any questions about this evaluation, I would be pleased to meet with you at your convenience.

Respectfully,

Carl A. Clinefelter
Inspector General

Farm Credit Administration
Office of Inspector General   November 9, 2012

Introduction and Background
Objectives, Scope, and Methodology
Overall Conclusion
Areas Evaluated by Offices of Inspector General (OIG) During FY 2012
  1. Continuous Monitoring Management
  2. Configuration Management
  3. Identity and Access Management
  4. Incident Response and Reporting
  5. Risk Management
  6. Security Training
  7. Plans of Actions and Milestones (POA&M)
  8. Remote Access Management
  9. Contingency Planning
  10. Contractor Systems
  11. Security Capital Planning
Appendix A: IG Section Report for Office of Management and Budget (OMB)

Report #E-12-01 OIG Evaluation: FISMA 2012        2

Introduction and Background

The President signed into law the E-Government Act (Public Law 107-347), which includes Title III, Information Security, on December 17, 2002. Title III permanently reauthorized the Government Information Security Reform Act of 2000 and renamed it the Federal Information Security Management Act (FISMA) of 2002. The purpose of FISMA was to strengthen the security of the Federal government's information systems and develop minimum standards for agency systems.

FISMA requires an agency's Chief Information Officer (CIO) and OIG to conduct annual assessments of the agency's information security program.

OMB issued Memorandum M-12-20, FY 2012 Reporting Instructions for the FISMA and Agency Privacy Management, on October 2, 2012.
This memorandum provides instructions for complying with FISMA's annual reporting requirements and reporting on the agency's privacy management program.

Results of the CIO and OIG assessments are reported to OMB through CyberScope.

Appendix A contains the IG Section Report as submitted to OMB through CyberScope.

Objectives, Scope, and Methodology

The objectives of this evaluation were to perform an independent assessment of the Farm Credit Administration's (FCA or Agency) information security program and assess FCA's compliance with FISMA.

The scope of this evaluation covered FCA's Agency-owned and contractor-operated information systems of record as of September 30, 2012. FCA is a single-program Agency with nine mission-critical systems and major applications.

The evaluation covered the eleven areas identified by the Department of Homeland Security (DHS) for OIGs to evaluate.

Key criteria used to evaluate FCA's information security program and compliance with FISMA included OMB and DHS guidance, National Institute of Standards and Technology (NIST) Special Publications (SP), and Federal Information Processing Standards Publications (FIPS).

In performing this evaluation, we performed the following steps:
    • Identified and reviewed Agency policies and procedures related to information security;
    • Examined documentation relating to the Agency's information security program and compared it to NIST standards and FCA policy;
    • Conducted interviews with the CIO, IT Security Specialist, Technology Team Leader, Applications Team Leader, Client Services and Communications Team Leader, and several IT Specialists;
    • Built on our understanding from past FISMA evaluations;
    • Observed security-related activities
performed by Agency personnel; and
    • Performed tests for a subset of controls.

This evaluation represents the status of the information security program as of September 30, 2012, and did not include a test of all information security controls.

The evaluation was performed at FCA Headquarters in McLean, Virginia, from September 2012 through November 2012.

Observations and results were shared with key information technology (IT) personnel throughout the evaluation. On November 9, 2012, the CIO and OIG shared and discussed drafts of their respective FISMA section reports.

This evaluation was performed in accordance with the Council of the Inspectors General on Integrity and Efficiency's Quality Standards for Inspection and Evaluation.

Overall Conclusion

FCA has an effective information security program that continues to mature and contains the following elements:

   • Information security policies and procedures
   • Risk-based approach to information security
   • Systems categorized based on risk
   • Risk-based security controls implemented
   • Security authorization process
   • Continuous monitoring
   • Standard baseline configurations
   • Identity and access management program
   • Remote access controls
   • Security awareness and training program
   • Incident response program
   • Continuity of operations plan and tests
   • Oversight of contractor systems
   • Capital planning and investment process that incorporates information security requirements
FCA has an engaged CIO with an experienced and well-trained IT team. The CIO and IT team are proactive in their approach to information security.

The IT team was very responsive to minor suggestions made for improvement during the FISMA evaluation, and in many cases the IT staff made immediate changes to strengthen the information security program where possible.

Of the 11 areas OMB required OIGs to evaluate during 2012, FCA has established a program in each of the areas that is consistent with NIST's and OMB's guidelines.

Areas Evaluated by Offices of Inspector General (OIG) During FY 2012

1. Continuous Monitoring Management

The Agency has established an enterprise-wide continuous monitoring program that assesses the security state of information systems and that is consistent with FISMA requirements, OMB policy, and applicable NIST guidelines. The continuous monitoring program includes the following attributes:

   • Continuous monitoring strategy reflected in the Infrastructure Security Plan and Management Control Plan
   • Malicious code protection
   • Vulnerability scanning
   • Log monitoring
   • Notification of unauthorized devices
   • Notification of changes or additions to sensitive accounts
   • Ongoing monitoring of security alerts and updates from vendors, with appropriate action
   • Commitment to an annual independent penetration test
   • Annual internal controls assessment

2. Configuration Management

The Agency established and is maintaining a configuration management program that is consistent with FISMA requirements, OMB policy, and applicable NIST guidelines.
FCA's security configuration management program includes the following attributes:

   • Documented policies and procedures for configuration management
   • Standard baseline configuration for workstations and servers
   • Regular scanning for vulnerabilities and compliance with the baseline configuration
   • Controls to prevent unauthorized software
   • Controls to prevent unauthorized devices
   • Timely remediation of identified vulnerabilities
   • Process for timely and secure installation of software patches
   • Monitoring and analysis of critical security alerts to determine potential impact to FCA systems
   • Implementation of the United States Government Configuration Baseline (USGCB), with deviations approved by the CIO

3. Identity and Access Management

The Agency has established and is maintaining an identity and access management program that is consistent with FISMA requirements, OMB policy, and applicable NIST guidelines and that identifies users and network devices.
The identity and access management program includes the following attributes:

   • Documented policies and procedures for requesting, issuing, and closing information system accounts
   • Identifies and authenticates information system users before allowing access
   • Detects unauthorized devices and disables connectivity
   • Dual-factor authentication
   • Strengthened controls over use of elevated privileges
   • Information system accounts created, managed, monitored, and disabled by authorized personnel
   • Periodic review of information system accounts to ensure access permissions provided to users are current and appropriate
   • Controls to prevent, detect, and notify authorized personnel of suspicious account activity or devices

4. Incident Response and Reporting

The Agency has established and is maintaining an incident response and reporting program that is consistent with FISMA requirements, OMB policy, and applicable NIST guidelines.
The incident response and reporting program includes the following attributes:

   • Documented policies and procedures, security awareness training and articles, and a 24-hour Helpline for incidents available to employees needing incident assistance
   • Agency staff must report within one hour to the OMS Helpline any IT equipment, personally identifiable information (PII), or sensitive information that is suspected to be missing, lost, or stolen
   • Significant improvement in the timeliness of incident reporting by users during FY 2012
   • During FY 2012, FCA had the following types of incidents:
       ▪ Malware on laptops
       ▪ Unauthorized computers detected and removed from the Agency's network
       ▪ Unauthorized scans and attempted unauthorized access blocked from the Agency's network
       ▪ Phishing email attempts
       ▪ Stolen laptop, HSPD 12 card, and smart phone
       ▪ Misplaced or lost HSPD 12 cards and smart phones (several lost phones were recovered)
   • Analysis was performed for each incident before responding appropriately and in a timely manner to minimize further damage
   • A log was maintained of security incidents, and appropriate officials were notified depending on the nature of the incident

5. Risk Management

FCA established and maintained a risk management program that is consistent with FISMA requirements, OMB policy, and applicable NIST guidelines.
The risk management program includes the following attributes:

   • Policy that the general support system and major applications will operate with proper accreditation and undergo reauthorization every 3 years or when a major system change occurs
   • Addresses risk from organization, mission, business, and information system perspectives
   • Information systems categorized based on FIPS 199 and SP 800-60
   • Security plans based on risk that identify minimum baseline controls selected, documented, and implemented
   • Periodic assessments of controls through a combination of continuous monitoring, self-assessments, independent penetration tests, and security certifications
   • Authorizing official considers items identified during the certification process and ensures appropriate action will be taken before signing the "Authorization to Operate"
   • Regular communications with senior management

6. Security Training

The Agency has established and is maintaining a security training program that is consistent with FISMA requirements, OMB policy, and applicable NIST guidelines.
The security training program includes the following attributes:

    • Mandatory annual security awareness training for employees and contractors using small group sessions
        ▪ Importance of HSPD 12 cards
        ▪ Preventing and reacting to a virus
        ▪ Personal use of agency devices
        ▪ Social media
        ▪ Password management
        ▪ Proper care of IT equipment
        ▪ Incident reporting
    • Security training presentation at new employee orientation
    • New employees and contractors required to certify they have read and understood FCA's computer security policies and responsibilities
    • Ongoing awareness program that includes e-mails and news alerts with security tips and notices of new threats
    • Individual development plan (IDP) process used to identify specialized training for users with significant security responsibilities
    • Identification and tracking of employees requiring mandatory and specialized security training

7. Plans of Actions and Milestones (POA&M)

The Agency has established and is maintaining a POA&M program that is consistent with FISMA requirements, OMB policy, and applicable NIST guidelines and that tracks and monitors known information security weaknesses.
The POA&M program includes the following attributes:

   • Policy for developing plans of action and milestones
   • Process for developing plans of corrective action for significant information security weaknesses and tracking their implementation
   • Compensating controls until outstanding items are remediated

8. Remote Access Management

The Agency has established and is maintaining a remote access program that is consistent with FISMA requirements, OMB policy, and applicable NIST guidelines. The remote access program includes the following attributes:

   • Policies and procedures for authorizing, monitoring, and controlling all methods of remote access
   • Protection against unauthorized connections
   • Virtual private network (VPN) for secure encrypted transmission of data outside of the Agency's network
   • Encryption on local hard drives and USB drives to protect sensitive data and PII
   • Forced encryption when creating CDs and DVDs
   • Security policy and device management for Agency smart phones and authorized personal devices
   • Remote contractor access for diagnostic purposes tightly controlled and closely supervised by IT staff

9. Contingency Planning

The Agency established and is maintaining an enterprise-wide business continuity/disaster recovery program that is consistent with FISMA requirements, OMB policy, and applicable NIST guidelines.
The contingency planning program includes the following attributes:

   • Business continuity plan and disaster recovery plan periodically updated to support the restoration of operations and systems after a disruption or failure
   • Alternative processing site and essential systems successfully activated during a government-wide test
   • Backup strategy includes daily and weekly backups of data and systems
   • Off-site storage for backups
   • Disaster recovery kit maintained off-site that contains critical software needed to recreate systems
   • Employee notification system used to alert employees of office closings and other events

10. Contractor Systems

The Agency has established and maintains a program to oversee systems operated on its behalf by contractors or other entities, including Agency systems and services residing in the cloud external to the Agency.
The contractor system oversight program includes the following attributes:

    • Written agreements for all contractor systems and interconnections
    • Updates inventory of contractor systems and interconnections annually
    • Reviews and updates security plans for contractor systems annually
    • Performed due diligence reviews and monitored security controls for outsourced systems
    • Performed site visits to review security documentation and verify that financial and personnel system providers employed adequate security measures to protect information, applications, and services
    • Periodically reviewed user accounts and privileges

11. Security Capital Planning

The Agency has established and maintains a security capital planning and investment program for information security. The program includes the following attributes:

   • Policies and procedures that stress the importance of information security and protecting sensitive information
   • Capital planning and investment process that incorporates information security requirements
   • Enterprise architecture that ensures IT investments support core business functions and provides security standards
   • Information security resources are available as planned